Lync Server 2013 Preview and Windows PowerShell: The Cure for the Post-Olympic Blues

Feeling lost now that the 2012 Summer Olympics are over? Here's a suggestion: take a peek at some of the things you can do with Windows PowerShell and Microsoft Lync Server 2013 Preview. We have a feeling it won't be long before you forget all about the 2012 Summer thingy.

Author: Greg Stemp, Microsoft Senior Programming Writer

Publication date: September 5, 2012

Product version: Microsoft Lync Server 2013 Preview

Now that the 2012 Summer Olympics have come to end (not to mention the series premiere of the new comedy Animal Practice, which, for some strange reason, was stuffed right in the middle of the closing ceremonies), many of you are probably sitting around thinking, "Man, both the Olympics and the series premiere of Animal Practice are over. Now nothing interesting or exciting is going to happen until the 2016 Summer Olympics in Rio de Janeiro. "

At least not until the next episode of Animal Practice.

Disclaimer. OK, admittedly, the author of this article didn't actually watch the series premiere of Animal Practice. However, he has learned that one of the stars of the show, Crystal the Monkey, is a bonafide movie star: Crystal has appeared in a ton of movies, including The Hangover Part II, Zookeeper, and Night at the Mus. Granted, in each of those movies Crystal the Monkey played a, well, a monkey. But, still ….

Fortunately, we have good news for those of you who are worried that it'll be four more years before anything interesting or exciting happens again: Something interesting and exciting is actually happening right this very instant! We kid you not. You probably already know that Microsoft has released Lync Server 2013 Preview. But what you might not know is this: The new edition of Lync Server contains about 190 brand-new Windows PowerShell cmdlets. Is that good? Let's put it this way: Many people find that way more interesting and way more exciting than watching Michael Phelps win four more gold medals or Usain Bolt vanquish everyone the world in the 100- and 200-meter dashes.

Note. OK, so maybe we can’t actually think of anyone who really does find that more exciting than watching Michael Phelps or Usain Bolt. But we're pretty sure they're out there; hey, there were people who found Animal Practice interesting and exciting, weren't there?

OK, so maybe we can't actually think of anyone who really– well, never mind. You get the idea.

Good question: what is the one thing that makes the PowerShell cmdlets in Lync Server 2013 Preview more exciting and more breathtaking than watching Gaby Douglas on the uneven parallel bars? Well, that's the cool part: there isn't just one thing that makes these new cmdlets so exciting and breathtaking. Instead, there are a whole bunch of things that make the PowerShell cmdlets that ship with Lync Server 2013 Preview so exciting. And, just to prove it, here are three of those things.

1: You can use these cmdlets to determine the effective policies for a user!

Remember the opening ceremonies of the London Olympics, when the Queen of England parachuted into the stadium from a helicopter? What most people don't know is that the original plan was for the Queen to do something really cool: she was going to walk into the stadium and use Windows PowerShell to determine the effective Lync Server 2010 policies applied to a user account. So why didn't they do that? That's easy: no one could actually figure out how to do that. That's why they went to Plan B, which had the Queen parachuting out of a helicopter.

Note. OK, technically that was Plan C, which they had to go to after Crystal the Monkey categorically refused to parachute out of a helicopter.

Oh, another good question: what exactly do we mean when we talk about the "effective policy" for a user? To explain that term, let's take a peek at some of the information we get back when we run the Get-CsUser cmdlet against Ken Myer's user account:

Identity : CN=Ken Myer,CN=Users,DC=litwareinc,DC=com

VoicePolicy :

VoiceRoutingPolicy :

ConferencingPolicy : LocalConferencingPolicy

PresencePolicy :

DialPlan :

LocationPolicy :

ClientPolicy :

As you can see, Ken Myer's account is managed by using the conferencing policy LocalConferencingPolicy. However, it would appear that Ken isn't managed by using any other Lync Server policies: everything else is blank.

Which is all well and good, except for one thing: in Lync Server it's impossible for a user to go unmanaged. Instead, pretty much every facet of every user account is managed by using some kind of Lync Server policy. So then why is it that only the conferencing policy shows up when we run the Get-CsUser cmdlet?

Here's why. As it turns out, Get-CsUser only shows you the per-user policies that have been explicitly assigned to your user account. If something shows up blank (like VoicePolicy) that doesn't mean that Ken doesn't have a voice policy; it just means that he hasn't been assigned a per-user voice policy. Instead, Ken must be managed by a different kind of policy: the global policy; a site policy; or, in some cases, a service-scoped policy. But Get-CsUser doesn't care about those other policy types; the cmdlet only shows per-user policies.

Is that a problem? For the most part, no … unless, of course, you're doing troubleshooting and you really, really need to know if Ken is managed using a global policy or a site policy. But in Lync Server 2010 there's no easy way to do that using Windows PowerShell.

Note. There is a somewhat complicated way of doing this. See the article Return the Effective Policy Assignments for a User for details.

As you might have already guessed, things are much easier in Lync Server 2013 Preview, thanks to the aptly-named Get-CsEffectivePolicy cmdlet. Need to know the effective policy assignments for Ken Myer? Then do what Crystal the Monkey would do.

And when you're done doing that, run this command:

Get-CsEffectivePolicy –Identity "Ken Myer"

Here's the kind of information you'll get back:

Identity : Ken Myer

ConferencingPolicy : Tag:LocalConferencingPolicy

PresencePolicy : Global

LocationPolicy : Global

VoicePolicy : Site:Redmond

LocationProfile : Global

ClientVersionPolicy : Site:Redmond

ClientPolicy : Global

Pretty slick, huh? Now you can see why we didn't publish this article while the Olympics were still going on: we were afraid the US women's soccer team would get so excited that they'd spend all their time retrieving the effective policies for one another and end up forfeiting their gold medal match with Japan. And we didn't want to have that on our consciences.

2: You can use these cmdlets to create custom RBAC roles!

In the London Olympics, at the conclusion of the women's gymnastics team competition, the TV cameras lingered on the Russian gymnasts, most of whom were sobbing uncontrollably. Were these girls crying because they had just lost the gold medal to the US?

Well, as a matter of fact, that is why they were crying. But facts like that don't fit in very well with our article; therefor, let's pretend that this is why the Russian gymnasts were crying: they were crying because they were using Lync Server 2010 and they just realized that there's no way to create custom RBAC (role-based access control) roles.

OK, we know what you're saying: you're saying, "Hey, you can create custom RBAC roles in Lync Server 2010; that's what the New-CsAdminRole cmdlet is for."

Well, you're right: you can create custom RBAC roles in Lync Server 2010 … sort of. The fact of the matter is that you can create custom roles based on a set of predefined role templates, then scope those roles so that the role holders are limited to carrying out management tasks in a given site or a given OU. Definitely a handy little tool to have in your tool belt.

However (and this is a big "however") there is at least one major limitation to these custom roles: you have no control over the cmdlets assigned to them. Yes, you can create a custom role based on the CsHelpDesk template, and any users holding that custom role will be able to run the 150 or so cmdlets assigned to that role. But what if that's more cmdlets than you would like those users to be able to run? What if you only wanted to give these users permission to run a handful of cmdlets, like maybe just the archiving configuration cmdlets? (A somewhat … unusual … thing to do, sure. But hey, we're not here to tell you how to run your business.) The harsh, cold reality is this: you can't do it. You have to allow those users access to all the cmdlets that were pre-assigned to their role, like it or not.

Hey, don't you start sobbing uncontrollably. Yes, that's the way things worked in Lync Server 2010. But things are different in Lync Server 2013 Preview. You want to create a custom RBAC role that only gives users the right to run the four CsArchivingConfiguration cmdlets. Well, why didn't you say so:

New-CsAdminRole –Identity LyncArchivers –Template CsHelpDesk –Cmdlets "Get-CsArchivingConfiguration","New-CsArchivingConfiguration","Remove-CsArchivingConfiguration","Set-CsArchivingConfiguration"

So that really going to work? You bet it's going to work. For example, here's what the Lync Server Control Panel looks like when our old friend Ken Myer (who's been assigned our new custom RBAC role) logs on:

Figure 1. What Control Panel looks like to a user who has been assigned an RBAC role that includes just four archiving cmdlets.

As you can see, there's only one thing Ken can do when it comes to administering Lync Server: he can manage the archiving configuration settings. Which is all we ever wanted him to do.

Pretty cool, huh? And yes, as a matter of fact, that does make up for losing the gold medal, doesn't it?

Pretty much, anyway.

3: You can use these cmdlets to move users into and out of the unified contact store!

This might be hard to believe, but there was a time when neither beach volleyball nor BMX cycling were Olympic sports. (Yes, it did take a lot of nerve to bill yourself as the world's premier sporting event when you didn't even have rhythmic gymnastics, didn’t it?)

Times change, however, and often times change for the best. For example, the Olympics were also good, but now that they've added real sports, like trampoline, they're even better. Lync Server 2013 Preview has always been good, but now that Lync Server had added the unified contact store, well, it's even better.

The unified what? The unified contact store. Remember the old days, back before the world had sports like synchronized diving? Well, back in those days people also had to maintain at least two contact lists: one list to be used in Microsoft Outlook and a second list to be used in Microsoft Lync. Need to create a new contact? You'll actually have to create two contacts: one in Outlook and a duplicate contact in Lync. Need to delete an existing contact? (Sorry, Grandma.) You also have to do that twice: you'll have to delete Grandma from both Outlook and from Lync.

Now, admittedly, in the grand scheme of life having to manage two contact lists might not be the worst thing that could ever happen to you. Still, it was a hassle, especially for people who need to manage large contact lists. But, then again, what are you supposed to do about that?

As it turns out, what you're supposed do about that is this: upgrade to Lync Server 2013 and Exchange Server 2013. Do that and you'll suddenly (well, maybe not suddenly: there is little bit of setup and configuration required) have access to the unified contact store: a single set of contacts that can be viewed (and managed) in either Outlook 2013 or in Lync 2013. (And, just to sweeten the deal, in Outlook Web Access 2013 to boot!)

Boy, that didn't take long: you say you've already done all the setup and configuration and now just need to know how to give users access to the unified contact store? We can do that. To give a user access to the unified contact store you need to do two things: 1) you need to create a new user services policy (or modifying an existing user services policy) that allows access to the unified contact store; and, 2) you need to make sure that this policy is applied to the appropriate users. For example, you can use a command like this to create a new per-user user services policy that gives users access to the unified contact store:

New-CsUserServicesPolicy –Identity "AllowUnifiedContactStore" –UcsAllowed $True

See how that works? All we had to do was set the UcsAllowed parameter to True ($True). And then, because this is a per-user policy, we then just need to assign the policy to any user we're going to let use the unified contact store. You know, like this:

Grant-CsUserServicesPolicy –Identity "Ken Myer" –PolicyName "AllowUnifiedContactStore"

And then what do we do? That's the best part: nothing. At this point we just sit back and wait for Ken Myer to log on using Lync 2013; when he does that Lync Server and Exchange Server will take care of the rest. And while we hadn't really thought about it, you're right: this is an awful lot like synchronized diving, isn't it?

Only better.

And what if you later decide to move Ken out of the unified contact store for some reason? No problem. First, make sure he has a user services policy that prohibits access to the store (that is, a policy where UcsAllowed is set to False). After that, just run the Invoke-CsUcsRollback cmdlet:

Invoke-CsUcsRollback –Identity "Ken Myer"

Note. A tip of the hat to Crystal the Monkey for cluing us in to how to move a user out of the unified contact store. Thanks, Crystal!

That's about all we have time for, at least for the moment. Does that mean that this is all that you can do with Windows PowerShell in Lync Server 2013 Preview? Not exactly: there are a lot more things you can do than what we've showed you today. To be honest, we limited today's article to three things simply because we didn't want anyone to become overexcited and overstimulated. But we'll see what we can do over the next few weeks or so to fill you in on even more of the cool new capabilities of Lync Server 2013 Preview.

You know, just as long as they're not showing re-runs of the modern pentathlon. See you soon!

Lync Server Resources

We Want to Hear from You

Comments (1)
  1. Thanks for the valuable information. I really do like the RBAC stuff. It's so much easier to achive than how we do it in Exchange… Christian

Comments are closed.

Skip to main content